[Bug 1016643] Re: add-apt-repository downloads gpg key in an insecure fashion
Zooko Wilcox-O'Hearn
zooko at zooko.com
Mon Sep 17 18:24:31 UTC 2012
By the way, this patch replaced a regexp with json.loads():
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/software-
properties/quantal/revision/77
That was good, because a regexp could have been vulnerable to some sort
of xss/injection sort of problem. But, the patch mistakenly left the
following no-longer-true comment in place:
# we ask for a JSON structure from lp_page, we could use
# simplejson, but the format is simple enough for the regexp
That comment should be removed.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1016643
Title:
add-apt-repository downloads gpg key in an insecure fashion
Status in GNU Privacy Guard:
Fix Released
Status in “apt” package in Ubuntu:
Confirmed
Status in “gnupg” package in Ubuntu:
Fix Released
Status in “gnupg2” package in Ubuntu:
Fix Released
Status in “software-properties” package in Ubuntu:
Invalid
Status in “apt” source package in Lucid:
Confirmed
Status in “gnupg” source package in Lucid:
Fix Released
Status in “gnupg2” source package in Lucid:
Fix Released
Status in “software-properties” source package in Lucid:
Invalid
Status in “apt” source package in Natty:
Confirmed
Status in “gnupg” source package in Natty:
Fix Released
Status in “gnupg2” source package in Natty:
Fix Released
Status in “software-properties” source package in Natty:
Invalid
Status in “apt” source package in Oneiric:
Confirmed
Status in “gnupg” source package in Oneiric:
Fix Released
Status in “gnupg2” source package in Oneiric:
Fix Released
Status in “software-properties” source package in Oneiric:
Invalid
Status in “apt” source package in Precise:
Confirmed
Status in “gnupg” source package in Precise:
Fix Released
Status in “gnupg2” source package in Precise:
Fix Released
Status in “software-properties” source package in Precise:
Invalid
Status in “apt” source package in Quantal:
Confirmed
Status in “gnupg” source package in Quantal:
Fix Released
Status in “gnupg2” source package in Quantal:
Fix Released
Status in “software-properties” source package in Quantal:
Invalid
Status in “apt” source package in Hardy:
Confirmed
Status in “gnupg” source package in Hardy:
Fix Released
Status in “gnupg2” source package in Hardy:
Fix Released
Status in “software-properties” source package in Hardy:
Invalid
Bug description:
add-apt-repository can add PPAs and automatically import the PPA gpg
key.
Unfortunately, it uses apt-key, which in turn uses gpg to download the
key from a keyserver.
gpg downloads keys from keyservers using the short key id, which is
trivial to collide.
It is therefore possible to either MITM the point where gpg downloads
the key from the keyserver, or to simply upload a second colliding key
to the keyserver. This can result in being able to MITM packages
installed from PPAs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1016643/+subscriptions
More information about the foundations-bugs
mailing list